Private VLANs are another concept that is pretty easy to understand if you have a good understanding of how VLANs in general work. PVLANs are mostly used in larger multi-tenant environments when there is a need to segment off many different end hosts. There are a few terms associated with PVLANs that we should cover right away…
Primary VLAN – Ports in the primary VLAN are promiscuous. That is, they can talk with any other ports. Devices that need to be shared between multiple tenants need to live in the primary VLAN.
Secondary VLAN – Ports in the secondary VLAN are where the different tenants will live. There are two types of secondary ports, community and isolated.
Community ports – Members of a community VLAN can talk to one another as well as to ports on the primary VLAN.
Isolated ports – Members of an isolated VLAN can only talk to the primary VLAN, not to each other. There can only be one isolated VLAN per primary VLAN.
Let’s look at a quick configuration so that you can get an idea of how this might work…
So here’s a really basic example of what a setup might look like. We have two switches trunked together that have multiple end hosts connected to them. Customer 1 and customer 2 each have their own secondary (community) VLAN. Customers 3 and 4 are in the isolated VLAN since they only have a single host each. All of the tenants need to be able to talk to the router at 192.168.0.1. The configuration looks something like…
VLAN Configuration
vlan 10
name pvlan-community-customer1
private-vlan community
vlan 20
name pvlan-community-customer2
private-vlan community
vlan 30
name pvlan-isolated
private-vlan isolated
vlan 100
name pvlan-primary
private-vlan primary
private-vlan association 10,20,30
Port configuration for Promiscuous port to router
interface FastEthernet1/0/2
switchport private-vlan mapping 100 10,20,30
switchport mode private-vlan promiscuous
end
Port configuration for trunk between switches
interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
end
Port configuration for Customer 1 Server 1 and Server 2
interface FastEthernet1/0/22
switchport private-vlan host-association 100 10
switchport mode private-vlan host
end
Port configuration for Customer 2 Server 1 and Server 2
interface FastEthernet1/0/23
switchport private-vlan host-association 100 20
switchport mode private-vlan host
end
Port configuration for Customer 3 Server 1
interface FastEthernet1/0/21
switchport private-vlan host-association 100 30
switchport mode private-vlan host
end
Port configuration for Customer 4 Server 1
interface FastEthernet1/0/21
switchport private-vlan host-association 100 30
switchport mode private-vlan host
end
So that’s really all there is to it. The main idea is that all secondary VLANs need to be mapped to the primary VLAN. Here’s a quick breakdown of connectivity in this configuration…
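The connectivity breakdown follows mechanically from the PVLAN rules above. Here is an added Python model (not part of the original post) that applies those rules to this topology; the VLAN numbers are the post's own, while the host and port labels (router, c1-srv1, …) are constructed for the example.

```python
# Added example, not from the original post: a small Python model of the
# private-VLAN forwarding rules applied to the post's topology. Host and
# port names are constructed labels; the VLAN numbers are the post's own.
from itertools import permutations

VLAN_TYPE = {10: "community", 20: "community", 30: "isolated", 100: "primary"}
ASSOCIATION = {100: {10, 20, 30}}          # "private-vlan association 10,20,30"

# name -> (mode, primary, secondary for host ports / mapped set for promiscuous)
PORTS = {
    "router":  ("promiscuous", 100, {10, 20, 30}),   # "mapping 100 10,20,30"
    "c1-srv1": ("host", 100, 10),                    # "host-association 100 10"
    "c1-srv2": ("host", 100, 10),
    "c2-srv1": ("host", 100, 20),
    "c2-srv2": ("host", 100, 20),
    "c3-srv1": ("host", 100, 30),                    # isolated VLAN
    "c4-srv1": ("host", 100, 30),                    # isolated VLAN
}

def can_talk(a, b, ports=PORTS, vlan_type=VLAN_TYPE, assoc=ASSOCIATION):
    """True if frames from port a are forwarded to port b under PVLAN rules."""
    ma, pa, sa = ports[a]
    mb, pb, sb = ports[b]
    if pa != pb or vlan_type.get(pa) != "primary":
        return False                      # different primary VLAN: never
    ok = assoc.get(pa, set())             # secondaries associated with the primary
    if ma == mb == "promiscuous":
        return True                       # promiscuous ports talk to everything
    if "promiscuous" in (ma, mb):
        mapped, sec = (sa, sb) if ma == "promiscuous" else (sb, sa)
        return sec in mapped and sec in ok   # host <-> promiscuous: mapped and associated
    # host <-> host: only inside the same community VLAN; isolated hosts never
    return sa == sb and vlan_type.get(sa) == "community" and sa in ok

def reachability(ports=PORTS, **kw):
    """Ordered pairs (a, b), a != b, that can exchange frames."""
    return {(a, b) for a, b in permutations(ports, 2) if can_talk(a, b, ports, **kw)}

def peers(name, ports=PORTS, **kw):
    """Sorted list of ports reachable from `name`."""
    return sorted(b for a, b in reachability(ports, **kw) if a == name)

if __name__ == "__main__":
    for name in PORTS:
        print(f"{name:8} -> {', '.join(peers(name)) or '(nothing)'}")
```

Passing a different `assoc` shows the point made above: a secondary VLAN that is not associated with the primary is cut off from everything, including the router. The resulting pattern (a host reaching the router and its own community peer, and nothing else) matches the ping output that follows.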
As further confirmation, here is the output from 192.168.0.50 as it tries to connect to all of the hosts…
C:\>ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=255
Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
Reply from 192.168.0.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\>ping 192.168.0.47
Pinging 192.168.0.47 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.47:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.0.48
Pinging 192.168.0.48 with 32 bytes of data:
Reply from 192.168.0.48: bytes=32 time=1ms TTL=255
Reply from 192.168.0.48: bytes=32 time<1ms TTL=255
Reply from 192.168.0.48: bytes=32 time<1ms TTL=255
Reply from 192.168.0.48: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.0.48:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
C:\>ping 192.168.0.49
Pinging 192.168.0.49 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.49:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.0.50
Pinging 192.168.0.50 with 32 bytes of data:
Reply from 192.168.0.50: bytes=32 time<1ms TTL=128
Reply from 192.168.0.50: bytes=32 time<1ms TTL=128
Reply from 192.168.0.50: bytes=32 time<1ms TTL=128
Reply from 192.168.0.50: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.50:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping 192.168.0.51
Pinging 192.168.0.51 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.51:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.0.52
Pinging 192.168.0.52 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.52:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
So as you can see, PVLANs are pretty handy, especially if you want to share a subnet between multiple customers.
Hi, I really appreciated your teaching, but I didn’t realize how the community port is different from the isolated port? Both port configurations are the same.. Is it really?
Good catch! I forgot to include the VLAN configuration part of the post. Take another look and let me know what you think. Thanks!
Thanks Jon! Now it seems much more clear and made much more sense for me! =)
Perfect, thanks again for spotting that!
Two servers from different communities: is it possible for them to communicate with each other by using an ACL on the router / firewall?